Vendor Risk Management: Urgent Issue for Small Finance Banks

The recent data breach that exposed information on 2.6 million customers of Bangalore-based Jana Small Finance Bank points to the need for banks to ramp up their vendor risk management efforts, security analysts say.

A data breach at the bank, which serves 4 million customers across India, was brought to light when the consultancy Security Discovery reported on July 23 that data on 2.6 million bank customers had been exposed through a third-party wallet platform vendor's server that was not adequately protected by a password.

Ashwin Khorana, CIO at Jana Small Finance Bank, tells Information Security Media Group: "Our vendor used this data [that was exposed] for testing purposes. It belonged to our Wallet business, which we are out of since 2018." He declined to identify the vendor involved.

He acknowledges, however, that it's critical for banks to have stronger management and control measures in place to avoid leaks of data at rest from vendor-managed environments.

Third-Party Risks

Breaches stemming from third parties are a serious risk for small finance banks, which rely on vendors for many services because they lack the resources to run them in-house.

Bengaluru-based Ratan Jyoti, CISO at Ujjivan Small Finance Bank, notes: "Since these banks integrate with third parties for all their services, including payment services, fintech companies for innovative products, cloud services, micro finance and lending services, etc., the security risks are going to rise if the third-party security posture is weak and not governed properly."

The 12 RBI-licensed small finance banks in India extend basic banking services to farmers, micro and small industries and others through high-tech, low-cost operations. The Jana incident is a wake-up call to ensure that a stringent risk assessment framework is built before outsourcing services to a third-party vendor.

Damage to Reputation

"As soon as the data availability got highlighted by Security Discovery team, the bank security team identified the source of leak which was a vendor managed server on the cloud. The vendor was instructed to delete the test data and shut down the server instance. The vendor has been issued a legal notice for not protecting and deleting the data after the job was completed in January 2018," he added.

A similar data exposure incident was reported last year. Customer data at Thrissur-based ESAF Microfinance, a small finance bank, was allegedly hacked by the group SERGEANT Phre4k, which accessed a third-party vendor platform.

According to a threat researcher, the group gained control of ESAF's network by logging into the vendor's server and then exfiltrated customer data, which was posted on pastebin.com.

"Most of them fail to assess the risk posture that vendors bring in, and hence such breaches cannot be ruled out," he says. "In case of Jana Bank breach also, the researcher used a simple open-source tool search engine to access the vendor's nonsecure server."

Ramping Up Vendor Risk Management

To beef up its effort in managing third parties, Jana Bank had altered its outsourcing model in April 2018. This model provides better governance and control of its data, Khorana says.

"Our new partners are Wipro, Cognizant, Precision and Clover Technologies. Their teams are stationed in our office premises to work with Bank's security team for deploying any kind of technologies or tools in protecting data and supporting us," Khorana says.

Khorana adds: "We have signed stringent SLAs with our data center partners as well and conduct periodic audits and vulnerability assessments and pen tests."

Jyoti of Ujjivan Small Finance Bank says vendor risk management must involve "analyzing all possible gaps in the security posture of the vendor as a pre-onboarding risk assessment strategy."

He recommends banks adopt a "security by design" approach and take steps to analyze the entire application and security life cycle of their vendor partners.

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
